
submitgate

v0.35.2

Published

Cross-platform mobile compliance & risk scanner. Deterministic, CI-first — scans iOS and Android app artifacts for privacy, security, and compliance issues.

Downloads

294

Readme

SubmitGate

Cross-platform mobile compliance & risk scanner. Deterministic, CI-first — scans iOS and Android app artifacts for privacy, security, and compliance issues.

Support

report issues at submitgate-support

Supported Artifacts

  • iOS: .xcarchive, .ipa, .app
  • Android: .apk, .aab

Quickstart

# Scan an iOS app
npx submitgate scan ios MyApp.xcarchive --summary

# Scan an Android app
npx submitgate scan android MyApp.apk --summary

License Token

A license token is required. Get a free trial at the SubmitGate portal (https://submit-gate.com/portal/) — enter your email and check your inbox.

Set the token as an environment variable:

export SUBMITGATE_LICENSE="<your-token>"

Dev builds may also require SUBMITGATE_LICENSE_PUBLIC_KEY_PEM — see the packaged docs for details.

GitHub Actions CI

Pin the version for deterministic CI: an unpinned npx -y submitgate resolves to whatever release is latest at run time, so scan results can change between runs and the job executes code you have not reviewed. Replace <VERSION> with the version you want (e.g. 0.36.0).

Prerequisites

  1. Add SUBMITGATE_LICENSE as a GitHub Actions secret in your repo or org.
  2. Your workflow must build or download the app artifact before scanning. Replace <ARTIFACT_PATH> with the path to your built artifact.

SARIF scan (recommended)

Uploads results to GitHub Code Scanning so findings appear as alerts on PRs.

name: submitgate

on:
  pull_request:
  push:
    branches: [main]

jobs:
  scan:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      security-events: write
    steps:
      - uses: actions/checkout@v4

      # TODO: build or download your app artifact here.

      - name: Run SubmitGate
        id: submitgate
        continue-on-error: true
        env:
          SUBMITGATE_LICENSE: ${{ secrets.SUBMITGATE_LICENSE }}
        run: |
          npx -y submitgate@<VERSION> scan <PLATFORM> <ARTIFACT_PATH> \
            --format sarif \
            --ci --ci-provider github \
            > submitgate.sarif

      - name: Upload SARIF
        if: always()
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: submitgate.sarif

      - name: Fail if issues found
        if: steps.submitgate.outcome != 'success'
        run: exit 1

iOS example (scanning a prebuilt xcarchive):

- name: Run SubmitGate
  id: submitgate
  continue-on-error: true
  env:
    SUBMITGATE_LICENSE: ${{ secrets.SUBMITGATE_LICENSE }}
  run: |
    npx -y submitgate@<VERSION> scan ios build/MyApp.xcarchive \
      --format sarif --ci --ci-provider github > submitgate.sarif

Android example (scanning an APK):

- name: Run SubmitGate
  id: submitgate
  continue-on-error: true
  env:
    SUBMITGATE_LICENSE: ${{ secrets.SUBMITGATE_LICENSE }}
  run: |
    npx -y submitgate@<VERSION> scan android app/build/outputs/apk/release/app-release.apk \
      --format sarif --ci --ci-provider github > submitgate.sarif

JSON + Markdown scan (no SARIF upload)

- name: Run SubmitGate
  env:
    SUBMITGATE_LICENSE: ${{ secrets.SUBMITGATE_LICENSE }}
  run: |
    npx -y submitgate@<VERSION> scan <PLATFORM> <ARTIFACT_PATH> \
      --format both \
      --fail-on BLOCKER

Notes

  • --format sarif writes SARIF to stdout — redirect to a file.
  • --format both writes report.json and report.md to the working directory.
  • Exit codes: 0 = clean, 1 = findings at threshold, 6 = license error.
  • The workflow above fails the job on any non-success outcome of the Run SubmitGate step, so a license error (exit 6) fails the job just as findings do. The stdout redirect still creates submitgate.sarif in that case, possibly empty, so check the Run SubmitGate step log before trusting the Upload SARIF result.
  • Scans are fully offline — no network calls during the scan. Fetching the package with npx -y does need network access.
  • security-events: write permission is required for SARIF upload.
  • actions/checkout@v4 and github/codeql-action/upload-sarif@v3 are pinned by major-version tag only; for the same reproducibility you get from pinning submitgate, pin them to a full commit SHA.

Configuration

Scaffold config files in your project:

npx submitgate init --ci github --baseline

This creates submitgate.config.json, submitgate.policy.json, and a GitHub Actions workflow.

Policy files

Policy files let you override severities, disable rules, or set per-rule fail thresholds:

{
  "schemaVersion": 1,
  "rules": [
    {
      "ruleId": "IOS_PRIVACY_MANIFEST",
      "when": { "baselineState": "new" },
      "severity": "BLOCKER"
    },
    {
      "ruleId": "IOS_PRIVACY_MANIFEST",
      "when": { "baselineState": "unchanged" },
      "severity": "INFO"
    }
  ]
}

Pass the file to scan with --policy ./submitgate.policy.json. In the example above the same rule id is matched twice: a finding whose baselineState is new is raised to BLOCKER, while one already present in the baseline is lowered to INFO, so a regression fails CI without re-flagging debt you have already accepted.

Baselines

Baselines let CI fail only on new findings, not pre-existing ones:

# One-time: create baseline from current state
npx submitgate baseline create <PLATFORM> <ARTIFACT_PATH> --out baseline.json

# CI: scan against baseline (fails only on regressions)
npx submitgate scan <PLATFORM> <ARTIFACT_PATH> --baseline baseline.json --fail-on BLOCKER

Commit baseline.json to your repo. Do not regenerate it on every CI run: a fresh baseline accepts every finding in the current build, so the scan would never report a regression. Regenerate it deliberately, after triaging the findings you intend to accept, and review the resulting diff like any other code change.
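The policy file above and the baseline commands here are two halves of one mechanism: the baseline tells the scanner which findings are pre-existing, and the policy's when.baselineState clauses decide how much each kind matters. The Node.js model below is an added example, not submitgate's code, and does not use its report.json or baseline.json formats. The finding shape (ruleId, location, severity), fingerprinting by ruleId plus location, last-matching-rule-wins resolution, the WARNING level between INFO and BLOCKER, and the EXAMPLE_OTHER_RULE id are all our assumptions. It applies the README's own two policy rules to constructed findings and shows why --fail-on BLOCKER fails on a new privacy-manifest finding but not on one already in the baseline.

```javascript
// Added example (not submitgate's own code or file formats): how a baseline and a
// policy combine to decide the exit code. Finding/baseline shapes and the WARNING
// level are assumptions made for this illustration.
const SEVERITY_RANK = { INFO: 0, WARNING: 1, BLOCKER: 2 };

// Stable identity for a finding so the same issue in the same place matches across scans.
function fingerprint(f) {
  return `${f.ruleId}|${f.location}`;
}

// Tag each current finding with its baselineState relative to the committed baseline.
function diffAgainstBaseline(findings, baseline) {
  const known = new Set(baseline.map(fingerprint));
  return findings.map((f) => ({
    ...f,
    baselineState: known.has(fingerprint(f)) ? "unchanged" : "new",
  }));
}

// A rule matches when its ruleId equals the finding's and every key in `when`
// equals the finding's value; a rule without `when` matches all of that rule's findings.
// Rules are applied in file order and the last match wins (our assumption).
function applyPolicy(finding, policy) {
  let severity = finding.severity;
  for (const rule of policy.rules) {
    if (rule.ruleId !== finding.ruleId) continue;
    const when = rule.when ?? {};
    const matches = Object.entries(when).every(([key, value]) => finding[key] === value);
    if (matches) severity = rule.severity;
  }
  return { ...finding, severity };
}

// Exit 1 if any effective severity reaches the --fail-on threshold, else 0.
function evaluate(findings, baseline, policy, failOn) {
  const threshold = SEVERITY_RANK[failOn];
  if (threshold === undefined) throw new Error(`unknown severity: ${failOn}`);
  const effective = diffAgainstBaseline(findings, baseline).map((f) => applyPolicy(f, policy));
  const failing = effective.filter((f) => SEVERITY_RANK[f.severity] >= threshold);
  return { effective, failing, exitCode: failing.length > 0 ? 1 : 0 };
}

// The README's policy, verbatim.
const SAMPLE_POLICY = {
  schemaVersion: 1,
  rules: [
    { ruleId: "IOS_PRIVACY_MANIFEST", when: { baselineState: "new" }, severity: "BLOCKER" },
    { ruleId: "IOS_PRIVACY_MANIFEST", when: { baselineState: "unchanged" }, severity: "INFO" },
  ],
};

// Constructed baseline and scan results (locations and the second rule id are made up).
const SAMPLE_BASELINE = [
  { ruleId: "IOS_PRIVACY_MANIFEST", location: "Frameworks/Legacy.framework" },
];
const SAMPLE_FINDINGS = [
  { ruleId: "IOS_PRIVACY_MANIFEST", location: "Frameworks/Legacy.framework", severity: "WARNING" },
  { ruleId: "IOS_PRIVACY_MANIFEST", location: "Frameworks/NewSdk.framework", severity: "WARNING" },
  { ruleId: "EXAMPLE_OTHER_RULE", location: "Info.plist", severity: "WARNING" },
];

// Equivalent of: scan ... --baseline baseline.json --policy submitgate.policy.json --fail-on BLOCKER
function sampleRun() {
  return evaluate(SAMPLE_FINDINGS, SAMPLE_BASELINE, SAMPLE_POLICY, "BLOCKER");
}
```

Running sampleRun() yields exit code 1 with exactly one failing finding, the privacy-manifest issue in NewSdk.framework; the Legacy.framework finding is demoted to INFO because it is in the baseline, and EXAMPLE_OTHER_RULE keeps its original WARNING because no policy rule names it. Adding the NewSdk finding to the baseline makes the same scan clean, which is why the baseline must only change deliberately.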

Features

  • iOS: Privacy manifest validation, debuggable build detection, App Tracking Transparency checks
  • Android: Network security config, debuggable builds, target SDK validation, ad ID usage, permission declarations
  • Output formats: JSON, Markdown, SARIF
  • Policy engine: Customizable severity rules with baseline differential analysis
  • CI integration: GitHub Actions annotations, step summaries, SARIF upload

Further Reading

Full CI integration docs (policy files, baselines, aggregate scans, debug flags) are included in the npm package at github-actions.md.

License

See LICENSE for details.